Exploitation

Stages

An internal attacker on a domain-joined machine runs CJWDev's ADInfo tool with configuration options to enumerate information about the local AD servers.

The local AD server responds with queried information.

Prerequisites

The attacker must already have gained access to the local Windows host through some other mechanism and must have the permissions needed to execute CJWDev's ADInfo tool.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to this exploit and has developed signatures to mitigate the threat, depending on the security service in place.

Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. The affected system produces log messages when an exploit of this type is carried out; if these log messages are observed, an incident is generated in the Alert Logic console.
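The advisory does not list the specific log messages that trigger the incident. As an added illustration of the kind of log-based detection described above (example code written for this page, not Alert Logic's signature or CJWDev's code), the script below scans constructed, simplified Windows Security process-creation records (Event ID 4688) and raises a finding whenever the new process image is ADInfo. The key=value line layout, the sample hosts and users, and the assumed image name "adinfo.exe" are all constructed for the example and would need to be matched to the log format and binary name seen in a real environment.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample records in a simplified key=value rendering of
# Windows Security Event ID 4688 (process creation) plus one logon event.
# These are not output from any real system; they only exercise the detector.
SAMPLE_LOGS = [
    'EventID=4688 Host=WS-101 SubjectUserName=jdoe '
    'NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\notes.txt"',
    'EventID=4688 Host=WS-101 SubjectUserName=jdoe '
    'NewProcessName=C:\\Users\\jdoe\\Downloads\\ADInfo.exe CommandLine="ADInfo.exe"',
    'EventID=4624 Host=WS-101 SubjectUserName=jdoe LogonType=2',
    'EventID=4688 Host=WS-203 SubjectUserName=svc-backup '
    'NewProcessName=C:\\Tools\\adinfo.EXE CommandLine="adinfo.EXE"',
]

# Image name assumed for CJWDev's ADInfo (assumption for this example; adjust
# to the binary name actually observed in your environment).
ADINFO_IMAGE = "adinfo.exe"

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    host: str
    user: str
    image: str
    command_line: str


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value log line into a dict of field name -> value."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def image_basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_adinfo(lines: list[str]) -> list[Finding]:
    """Flag every process-creation record whose new process image is ADInfo.

    Only Event ID 4688 records are considered; the image name comparison is
    case-insensitive so that differently cased copies of the binary still match.
    """
    findings: list[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4688":
            continue
        image = ev.get("NewProcessName", "")
        if image_basename(image) == ADINFO_IMAGE:
            findings.append(
                Finding(
                    host=ev.get("Host", "?"),
                    user=ev.get("SubjectUserName", "?"),
                    image=image,
                    command_line=ev.get("CommandLine", ""),
                )
            )
    return findings


if __name__ == "__main__":
    for f in detect_adinfo(SAMPLE_LOGS):
        print(f"ADInfo execution on {f.host} by {f.user}: {f.image} ({f.command_line})")
```

Matching on the image name alone is a deliberately simple first signal: a renamed copy of the binary would evade it, so in practice this check would sit alongside other indicators (for instance the directory-query traffic that the "Stages" section describes reaching the AD server) rather than replace them.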

Recommendations for Mitigation

Ensure that all public internet-facing hosts have available patches applied and are sufficiently hardened for public access.